O2 apologises for distributing free USB pens loaded with Windows Virus as part of marketing campaign
British mobile network provider O2 has apologised for sending malware-laden pen drives to some of its customersGetty Images

Mobile network provider O2 has reportedly sent out USB drives to some of its customers, which were accidentally infected with a "Windows specific virus". The USBs were distributed as part of a marketing campaign for an e-book. Those who received the free flash drives were also sent an email encouraging them to download an e-book.

However, shortly after the malware-laden USB pens were distributed, O2 sent out another email titled "Urgent: Information about potential virus", warning users that some of the devices sent by it contained malware and "may not be picked up by out-of-date Anti-Virus software", the Register reported.

The email stated: "The virus has the ability to install new programs onto your system including updated versions of itself and programs that might grant the virus's author remote control over your computer."

O2 told SCMagazine, "We are aware that some of the promotional USBs we sent to customers have a Windows specific virus risk associated with them. As a precaution, we've contacted those customers who received the USB and advised them to discard it. For any customers that have already used the USB or are concerned, we have a specialist team on hand to support them and guide them through any action they may need to take. We apologise for any inconvenience."

The mobile network provider maintained that most of the devices were not infected and blamed a supplier for the issue. The malware could reportedly infect nearly all versions of Windows operating systems including, Windows 95, Windows 98, Windows ME, Windows NT, Windows 2000, Windows Server 2003, Windows XP and Windows Vista.

O2's security gaffe comes on the heels of reports of O2 customer data having been put on sale by hackers on the dark web. However, O2 has denied the data breach. Personal details of O2 customers appeared to have been exposed by the breach, which was uncovered via a "credential stuffing" attack, making use of data from a previously compromised website called XSplit to match login details with O2 accounts.